9

What I'd like to ask is if anybody knows about an hardware USB-dongle for software protection which offers a very complete out-of-the-box API support for cross-platform Java deployments.

Its SDK should provide a jar (only one, not one different library per OS & bitness) ready to be added to one's project as a library.

  • The jar should contain all the native stuff for the various OSes and bitnesses
  • From the application's point of view, one should continue to write (api calls) once and run everywhere, without having to care where the end-user will run the software
  • The provided jar should itself deal with loading the appropriate native library

Does such a thing exist?

With what I've tried so far, you have different APIs and compiled libraries for win32, linux32, win64, linux64, etc (or you even have to compile stuff yourself on the target machine), but hey, we're doing Java here, we don't know (and don't care) where the program will run!

And we can't expect the end-user to be a software engineer, tweak (and break!) its linux server, link libraries, mess with gcc, litter the filesystem, etc...

In general, Java support (in a transparent cross-platform fashion) is quite bad with the dongle SDKs I've evaluated so far (e.g. KeyLok and SecuTech's UniKey). I even purchased (no free evaluation kit available) SecureMetric SDKs&dongles (they should've been "soooo" straighforward to integrate -- according to marketing material :\ ) and they were the worst ever: SecureDongle X has no 64bit support and SecureDongle SD is not cross-platform at all.

So, has anyone out there been through this and found the ultimate Java security usb dongle for cross-platform deployments?

Note: software is low-volume, high-value; application is off-line (intranet with no internet access), so no online-activation alternatives and the like.

-- EDIT

Tried out HASP dongles (used to be called "Aladdin"), and added them to the no-no list: here, too, there is no out-of-the-box (out-of-the-jar) support: e.g. end-linux-user has to manually put the .so library (the specific file for the appropriate bitness) in the right place on his filesystem, and export an env. variable accordingly.

Unai Vivi
  • 2,893
  • 3
  • 25
  • 44
  • Q: Is the end-user assumed to have a JRE already installed, or must the (platform-specific) JRE(s) be on the USB dongle? – paulsm4 Jan 17 '12 at 19:12
  • Hi @paulsm4, thank you for your comment. I rely on the JRE installed on the system. Also considering that the dongles with included flash memory tend to cost much more per unit than the simpler dongles (which normally allow a few hundred bytes of data storage). – Unai Vivi Jan 17 '12 at 20:26
  • "Software protection" is an uphill battle: debuggers, VMs, etc exist. any scheme will eventually get cracked, esp when the value is high. That's why e.g. Oracle DB does not come with sophisticated (if any) copy protection. If you can't provide an online server to depend on, you can try to provide an offline server: ship a complete computer with your app installed, a la Google search appliance. This also eliminates the problem of platform compatibility :) – 9000 Jan 23 '12 at 21:23
  • @9000 I like your "_If you can't provide an online server to depend on, you can try to provide an offline server: ship a complete computer with your app installed, a la Google search appliance._" suggestion, but unfortunately it doesn't apply to my case... [...unless I find a 50€ plug-computer with twice the hardware capabilities of today's best plug-computers] – Unai Vivi Jan 23 '12 at 22:12
  • 1
    @UnaiVivi you might look into GumStix. not quite 50€ , but still worth looking into. – Sheriff Jan 24 '12 at 18:51
  • @Sheriff Thanks for your suggestion: I'm browsing the website, it looks very interesting (just a little uncertain about whether a 600MHz ARM CPU with little RAM can run Apache Tomcat properly and deal with dynamic content in a responsive way) – Unai Vivi Jan 24 '12 at 19:20
  • @UnaiVivi yeah. I'm not so sure it would. Looks like a dongle might be the way to go. – Sheriff Jan 24 '12 at 19:24
  • @UnaiVivi If this happens to be an oilfield application (what I would assume from the description) let me know. I can point you in the direction of how various others have solved the issue. – Sheriff Jan 24 '12 at 19:26

3 Answers3

3

Full disclaimer: I work for a company that makes software-protection dongles (CodeMeter). But I believe we might have a solution that meets your requirement: we have a single API for all platforms (Win, Mac, Linux, etc both 32- and 64-bits). Each end-user machine merely requires a runtime (service on Windows; daemon on Linux). We use a native Java API which uses TCP/IP to call our runtime, so no special device drivers are required. You can do activations either before you ship the dongle (pre-programming), or via file exchange (NikeNet) on deployments with no Internet access, or you can remove the dongle, take it to a machine that DOES have Internet connectivity and update the license there.

At a higher level than the API we have AxProtector, which is an automated protection/encryption tool that you can use to test our protection system with no source code changes. This would let you test the implementation on all platforms you are interested in--you don't need to create multiple versions for different platforms.

We had a Fortune 100 company use this to protect a Java app that ran on non-Intel Solaris, so we know it's been stress-tested as a cross-platform solution.

We have a free fully-functional eval system which we can get you asap. If you email me at the email address in my profile we can ship you out an SDK and help you quickly determine if this will solve your problem.

John Browne
  • 732
  • 4
  • 6
  • Thank you for you post: I'm pleasantly surprised about the smart solution of calling your runtime binaries through a TCP call (most competing dongles make you struggle with direct USB communication), I've been wondering for some time if some company actually offered that. I'm very interested in evaluating a Wibu dongle, but I can't see your e-mail on your profile (I think one can see his own mail on his own profile only): can you disclose it here in a comment? (or provide me with another way of contacting you) – Unai Vivi Jan 24 '12 at 19:25
  • Hello Unai; you can email me: john dot browne at wibu.us – John Browne Jan 24 '12 at 20:59
  • I got the evaluation kit: finally, after having tried 8 competing dongle companies, I found the one that does exactly what I needed (i.e. what I asked in my question)! – Unai Vivi Feb 17 '12 at 02:08
  • Important note I forgot to mention: Wibu's CodeMeter dongles are **MUCH** more expensive compared to competitors: 67,60 €/dongle as opposed to 5,90 $/dongle for another company's dongles. That's almost **16 times** more! – Unai Vivi Feb 24 '12 at 15:54
2

You can use Dinkey Pro dongles to achieve exactly this. While they do use separate native libraries for each operating system and architecture you just need to call their Java API and it takes care of any platform specific bits. Wrap the libraries up in a JAR file with the .class (the API) and you've got a neat solution. The dongles themselves are driverless.

Nick Smith
  • 146
  • 2
0

I can only recommend to avoid the SecuTech UniKey system. During evaluation the product met all requirements we needed. We started integrating this solution and discovered one issue after another. Here is a short list of the major issues that are part of the SDK 6.2.7:

  1. Enveloper settings change randomly when saving and loading the same solution (Video).
  2. DLL files that are wrapped with the enveloper do not load.
  3. The console version of the enveloper for script based builds does not work. It is unable to wrap exe/dll's that can be wrapped with the GUI based version of the enveloper.

Support is reactive but does not really tackle the problems.

After all we wasted almost a month of work integrating this protection system, but now have to switch due to the massive quality issues.

Xcessity
  • 489
  • 4
  • 11